Deciphering Glyph
twistd make me a sandwich

Fri 06 April 2007

The UNIX security model sucks.

Unfortunately, we are likely to be stuck with it for the next hundred quintillion years; it will outlive the sun and possibly humanity as we flee to other stars and trade our technology to species across the galaxy.  I understand this fact.  I can live with it.

Still, we must be able to do better than the current tools, like sudo.  I have had a variety of Twisted-based ideas for this kicking around in the back of my head for a while.

Imagine a Twisted daemon that ran at boot, called seteuid and setegid to become "nobody", but kept root as its saved user ID so it could regain those privileges when needed.  spawnProcess already supports switching UIDs for your subprocess.  Instead of running subprocesses directly, you could run a Twisted client program which would connect to that daemon and ask it to run something for you.

Such a daemon could be used for more than just 'sudo'.  Most of the tasks currently reserved for 'init', such as run-parts, could be run as "nobody" instead, with start-stop-daemon asking the daemon to run specific commands as root.  You could eliminate just about every SUID binary by shipping the binaries themselves non-SUID, accompanied by security rules that allow their execution in specific restricted contexts.

Since security rules could be implemented in Python, it would be easy to have flexible policy declarations such as "/usr/bin/foobar can always run /usr/sbin/bazqux processes as the 'foobar' user when run by people in the 'xyz' group".  This avoids giving unrestricted system access to either members of the 'xyz' group or anyone who can exploit the 'foobar' executable.  Ideally programs could be distributed with their own security rules rather than, as sudo does, making privilege separation the administrator's responsibility.
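Here is a sketch, added to this post and not part of Twisted or of any design of mine that exists, of what the two halves described above might look like: a default-deny evaluator for rules of the "foobar may run bazqux as foobar for members of xyz" shape, plus the root-side switch that a daemon which has done seteuid/setegid to "nobody" but kept a saved uid of 0 would perform before exec.  Everything in it is hypothetical: the Rule and Request shapes, the foobar/bazqux policy, the constructed sample requests, and spawn_as(), which stands in for what spawnProcess(uid=..., gid=...) would do in a Twisted daemon.  One caveat the rules depend on: the daemon, not the client, has to establish which executable is on the other end of the connection (peer credentials and the process table are the usual sources), and a rule keyed on the caller's path is only as strong as that identification.

```python
# Added example: a policy evaluator for a privilege-brokering daemon of the kind
# sketched above. Not Twisted code and not the post author's design; the Rule and
# Request shapes, the foobar/bazqux policy and spawn_as() are all hypothetical.
import os
import pwd
import subprocess
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Request:
    """One request as the broker sees it. caller_exe and caller_groups must be
    established by the daemon itself (peer credentials, process table), never
    taken from the client's message."""
    caller_exe: str                # canonical path of the connecting program
    caller_groups: FrozenSet[str]  # group names the calling user belongs to
    argv: Tuple[str, ...]          # command the caller wants run
    run_as: str                    # user the command should run as


@dataclass(frozen=True)
class Rule:
    """'caller_exe may run target_exe as run_as, if the caller is in required_group'."""
    caller_exe: str
    target_exe: str
    run_as: str
    required_group: Optional[str] = None  # None: any user may trigger this rule


# Hypothetical policy that the "foobar" package would ship with, as the text proposes.
POLICY: Tuple[Rule, ...] = (
    Rule(caller_exe="/usr/bin/foobar", target_exe="/usr/sbin/bazqux",
         run_as="foobar", required_group="xyz"),
)


def evaluate(request: Request, policy: Sequence[Rule] = POLICY) -> Tuple[bool, str]:
    """Default-deny check of one request against the policy.

    Each request is judged on its own: there is no timestamp or cached grant
    like sudo's, so a second command needs its own matching rule."""
    if not request.argv:
        return False, "empty command"
    for rule in policy:
        if (request.caller_exe == rule.caller_exe
                and request.argv[0] == rule.target_exe
                and request.run_as == rule.run_as
                and (rule.required_group is None
                     or rule.required_group in request.caller_groups)):
            return True, "allowed by rule for %s" % rule.caller_exe
    return False, "no rule matched"


def spawn_as(argv: Sequence[str], user: str) -> subprocess.CompletedProcess:
    """Root-side half: run argv as `user`. Only works inside a daemon whose saved
    set-user-ID is still 0 after seteuid()/setegid() to an unprivileged user;
    Twisted's spawnProcess(uid=..., gid=...) performs the same switch for you."""
    pw = pwd.getpwnam(user)

    def become_user() -> None:          # runs in the child, before exec
        os.seteuid(0)                   # regain root from the saved uid
        os.initgroups(pw.pw_name, pw.pw_gid)
        os.setgid(pw.pw_gid)
        os.setuid(pw.pw_uid)            # with euid 0 this sets real, effective and saved uid

    return subprocess.run(list(argv), preexec_fn=become_user, check=False)


# Constructed sample traffic: an xyz member going through foobar, and some impostors.
MEMBER = frozenset({"users", "xyz"})
OUTSIDER = frozenset({"users"})
SAMPLE_REQUESTS = {
    "member via foobar":      Request("/usr/bin/foobar", MEMBER, ("/usr/sbin/bazqux", "--reload"), "foobar"),
    "member wants root":      Request("/usr/bin/foobar", MEMBER, ("/usr/sbin/bazqux",), "root"),
    "member wants a shell":   Request("/usr/bin/foobar", MEMBER, ("/bin/sh",), "foobar"),
    "member bypasses foobar": Request("/bin/sh", MEMBER, ("/usr/sbin/bazqux",), "foobar"),
    "outsider via foobar":    Request("/usr/bin/foobar", OUTSIDER, ("/usr/sbin/bazqux",), "foobar"),
}


def decisions() -> dict:
    """Map each sample request to the broker's allow/deny decision."""
    return {name: evaluate(req)[0] for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print("%-24s %s" % (name, "allow" if allowed else "deny"))
```

Only the first sample request is allowed; a compromised foobar gets bazqux as the foobar user and nothing else, and an xyz member who skips foobar gets nothing.  Paths are compared exactly, so the daemon has to canonicalize what it learns about the peer before building the Request.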

Of course I have no time to implement this, nor to advocate it to the dozens of very high-profile projects which would need to adopt it in order for it to be useful.  I wish that I could, though, every time sudo lets me run two commands as root in a row because it would be too inconvenient to type my password a second time.